Commit 340ed90d authored by Romain Perier's avatar Romain Perier

Update to 4.19.28

parent 22610f26
linux (4.19.27-1) UNRELEASED; urgency=medium
linux (4.19.28-1) UNRELEASED; urgency=medium
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.21
......@@ -599,6 +599,78 @@ linux (4.19.27-1) UNRELEASED; urgency=medium
- hugetlbfs: fix races and page leaks during migration
- [mips*] fix truncation in __cmpxchg_small for short values
- [x86] uaccess: Don't leak the AC flag into __put_user() value evaluation
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.28
- cpufreq: Use struct kobj_attribute instead of struct global_attr
- staging: erofs: fix mis-acted TAIL merging behavior
- USB: serial: option: add Telit ME910 ECM composition
- USB: serial: cp210x: add ID for Ingenico 3070
- USB: serial: ftdi_sio: add ID for Hjelmslund Electronics USB485
- [x86] staging: comedi: ni_660x: fix missing break in switch statement
- [x86, arm64, armhf] staging: android: ashmem: Don't call fallocate() with
ashmem_mutex held.
- [x86, arm64, armhf] staging: android: ashmem: Avoid range_alloc()
allocation with ashmem_mutex held.
- ip6mr: Do not call __IP6_INC_STATS() from preemptible context
- [arm64, armhf] net: dsa: mv88e6xxx: handle unknown duplex modes gracefully
in mv88e6xxx_port_set_duplex
- [arm64, armhf] net: dsa: mv88e6xxx: fix number of internal PHYs for
88E6x90 family
- net: sched: put back q.qlen into a single location
- net-sysfs: Fix mem leak in netdev_register_kobject
- qmi_wwan: Add support for Quectel EG12/EM12
- sctp: call iov_iter_revert() after sending ABORT
- sky2: Disable MSI on Dell Inspiron 1545 and Gateway P-79
- team: Free BPF filter when unregistering netdev
- tipc: fix RDM/DGRAM connect() regression
- bnxt_en: Drop oversize TX packets to prevent errors.
- geneve: correctly handle ipv6.disable module parameter
- [x86] hv_netvsc: Fix IP header checksum for coalesced packets
- ipv4: Add ICMPv6 support when parse route ipproto
- lan743x: Fix TX Stall Issue
- [arm64, armhf] net: dsa: mv88e6xxx: Fix statistics on mv88e6161
- [arm64, armhf] net: dsa: mv88e6xxx: Fix u64 statistics
- net: netem: fix skb length BUG_ON in __skb_to_sgvec
- net: nfc: Fix NULL dereference on nfc_llcp_build_tlv fails
- net: phy: Micrel KSZ8061: link failure after cable connect
- [arm64, armhf] net: phy: phylink: fix uninitialized variable in
phylink_get_mac_state
- net: sit: fix memory leak in sit_init_net()
- net: socket: set sock->sk to NULL after calling proto_ops::release()
- tipc: fix race condition causing hung sendto
- tun: fix blocking read
- [x86, arm64, armhf] xen-netback: don't populate the hash cache on XenBus
disconnect
- [x86, arm64, armhf] xen-netback: fix occasional leak of grant ref mappings
under memory pressure
- tun: remove unnecessary memory barrier
- net: Add __icmp_send helper.
- ipv4: Return error for RTA_VIA attribute
- ipv6: Return error for RTA_VIA attribute
- mpls: Return error for RTA_GATEWAY attribute
- ipv4: Pass original device to ip_rcv_finish_core
- [arm64, armhf] net: dsa: mv88e6xxx: power serdes on/off for 10G interfaces
on 6390X
- [arm64, armhf] net: dsa: mv88e6xxx: prevent interrupt storm caused by
mv88e6390x_port_set_cmode
- net/sched: act_ipt: fix refcount leak when replace fails
- net/sched: act_skbedit: fix refcount leak when replace fails
- net: sched: act_tunnel_key: fix NULL pointer dereference during init
- [x86] CPU/AMD: Set the CPB bit unconditionally on F17h
- [x86] boot/compressed/64: Do not read legacy ROM on EFI system
- tracing: Fix event filters and triggers to handle negative numbers
- usb: xhci: Fix for Enabling USB ROLE SWITCH QUIRK on
INTEL_SUNRISEPOINT_LP_XHCI
- [x86, powerpc*] applicom: Fix potential Spectre v1 vulnerabilities
- [mips*] irq: Allocate accurate order pages for irq stack
- aio: Fix locking in aio_poll()
- xtensa: fix get_wchan
- gnss: sirf: fix premature wakeup interrupt enable
- USB: serial: cp210x: fix GPIO in autosuspend
- Bluetooth: btrtl: Restore old logic to assume firmware is already loaded
- Bluetooth: Fix locking in bt_accept_enqueue() for BH context
- exec: Fix mem leak in kernel_read_file (CVE-2019-8980)
- scsi: core: reset host byte in DID_NEXUS_FAILURE case
- bpf: fix sanitation rewrite in case of non-pointers
[ Ben Hutchings ]
* [sparc64] udeb: Use standard module list in nic-modules; add i2c-modules
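Review bot: the entry "exec: Fix mem leak in kernel_read_file (CVE-2019-8980)" near the end of the 4.19.28 list duplicates the existing "[ Salvatore Bonaccorso ]" entry for the same CVE further down in the changelog; once the fix arrives through the stable update, the standalone entry and the Debian patch behind it should be dropped in the same commit (the following hunks do this), so the CVE is credited once and still turns up when the security tracker greps the changelog. Two other entries in this list look security-relevant but carry no identifier, "applicom: Fix potential Spectre v1 vulnerabilities" and "bpf: fix sanitation rewrite in case of non-pointers"; check the tracker for assigned ids and, if there are any, append them in the same "(CVE-...)" style used for the exec entry.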
......@@ -632,7 +704,6 @@ linux (4.19.27-1) UNRELEASED; urgency=medium
[ Salvatore Bonaccorso ]
* Btrfs: fix corruption reading shared and compressed extents after hole
punching (Closes: #922306)
* exec: Fix mem leak in kernel_read_file (CVE-2019-8980)
[ Vagrant Cascadian ]
* [arm64] Add patch from v4.20 to enable device-tree for Pine64-LTS.
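Review bot: dropping the "* exec: Fix mem leak in kernel_read_file (CVE-2019-8980)" line from the Salvatore Bonaccorso section is correct because the same fix is now listed in the 4.19.28 upstream block, and the Btrfs entry above it keeps its "(Closes: #922306)" untouched, which is right. Consider adding a one-line entry such as "* Drop exec-Fix-mem-leak-in-kernel_read_file.patch, applied upstream in 4.19.28" so the removal of the Debian patch (done later in this commit) is visible from the changelog alone rather than only from the series diff.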
......
From: YueHaibing <yuehaibing@huawei.com>
Date: Tue, 19 Feb 2019 10:10:38 +0800
Subject: exec: Fix mem leak in kernel_read_file
Origin: https://git.kernel.org/linus/f612acfae86af7ecad754ae6a46019be9da05b8e
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-8980
syzkaller report this:
BUG: memory leak
unreferenced object 0xffffc9000488d000 (size 9195520):
comm "syz-executor.0", pid 2752, jiffies 4294787496 (age 18.757s)
hex dump (first 32 bytes):
ff ff ff ff ff ff ff ff a8 00 00 00 01 00 00 00 ................
02 00 00 00 00 00 00 00 80 a1 7a c1 ff ff ff ff ..........z.....
backtrace:
[<000000000863775c>] __vmalloc_node mm/vmalloc.c:1795 [inline]
[<000000000863775c>] __vmalloc_node_flags mm/vmalloc.c:1809 [inline]
[<000000000863775c>] vmalloc+0x8c/0xb0 mm/vmalloc.c:1831
[<000000003f668111>] kernel_read_file+0x58f/0x7d0 fs/exec.c:924
[<000000002385813f>] kernel_read_file_from_fd+0x49/0x80 fs/exec.c:993
[<0000000011953ff1>] __do_sys_finit_module+0x13b/0x2a0 kernel/module.c:3895
[<000000006f58491f>] do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
[<00000000ee78baf4>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[<00000000241f889b>] 0xffffffffffffffff
It should goto 'out_free' lable to free allocated buf while kernel_read
fails.
Fixes: 39d637af5aa7 ("vfs: forbid write access when reading a file into memory")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---
fs/exec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/exec.c b/fs/exec.c
index fb72d36f7823..bcf383730bea 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -932,7 +932,7 @@ int kernel_read_file(struct file *file, void **buf, loff_t *size,
bytes = kernel_read(file, *buf + pos, i_size - pos, &pos);
if (bytes < 0) {
ret = bytes;
- goto out;
+ goto out_free;
}
if (bytes == 0)
--
2.20.1
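Review bot: this whole patch file is deleted, and its Origin header names upstream commit f612acfae86af7ecad754ae6a46019be9da05b8e, so confirm that commit is actually part of 4.19.28 before dropping it (the changelog entry added above says it is). The one-line change it carried, "goto out;" replaced by "goto out_free;" in kernel_read_file() when kernel_read() returns an error, is what frees the vmalloc'd buffer on the failure path; if the stable backport landed with different label names in fs/exec.c, a quick look at that function after the 4.19.28 merge is the cheap check that the leak is still closed.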
......@@ -143,7 +143,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
# Security fixes
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
bugfix/all/exec-Fix-mem-leak-in-kernel_read_file.patch
# Fix exported symbol versions
bugfix/all/module-disable-matching-missing-version-crc.patch
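Review bot: removing bugfix/all/exec-Fix-mem-leak-in-kernel_read_file.patch from the series matches the deleted patch file, and the "# Security fixes" group still holds debian/i386-686-pae-pci-set-pci-nobios-by-default.patch, so the comment header is not left empty. Nothing else to change here; applying the full series once (for example with quilt push -a) is the quick way to confirm no remaining patch depended on the dropped one.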